TY - GEN
T1 - RWGuard
T2 - 21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018
AU - Mehnaz, Shagufta
AU - Mudgerikar, Anand
AU - Bertino, Elisa
N1 - Publisher Copyright:
© Springer Nature Switzerland AG 2018.
PY - 2018
Y1 - 2018
N2 - Ransomware has recently (re)emerged as a popular form of malware that targets a wide range of victims, from individual users to corporate ones, for monetary gain. Our key observation on the existing ransomware detection mechanisms is that they fail to provide an early warning in real time, which results in irreversible encryption of a significant number of files, while the post-encryption techniques (e.g., key extraction, file restoration) suffer from several limitations. Also, the existing detection mechanisms result in high false positives, being unable to determine the original intent of file changes, i.e., they fail to distinguish whether a significant change in a file is due to a ransomware encryption or due to a file operation by the user herself (e.g., benign encryption or compression). To address these challenges, in this paper, we introduce a ransomware detection mechanism, RWGuard, which is able to detect crypto-ransomware in real time on a user's machine by (1) deploying decoy techniques, (2) carefully monitoring both the running processes and the file system for malicious activities, and (3) preventing benign file changes from being flagged through the learning of users' encryption behavior. We evaluate our system against samples from the 14 most prevalent ransomware families to date. Our experiments show that RWGuard is effective in real-time detection of ransomware with a zero false negative rate and a negligible false positive rate (~0.1%) while incurring an overhead of only ~1.9%.
AB - Ransomware has recently (re)emerged as a popular form of malware that targets a wide range of victims, from individual users to corporate ones, for monetary gain. Our key observation on the existing ransomware detection mechanisms is that they fail to provide an early warning in real time, which results in irreversible encryption of a significant number of files, while the post-encryption techniques (e.g., key extraction, file restoration) suffer from several limitations. Also, the existing detection mechanisms result in high false positives, being unable to determine the original intent of file changes, i.e., they fail to distinguish whether a significant change in a file is due to a ransomware encryption or due to a file operation by the user herself (e.g., benign encryption or compression). To address these challenges, in this paper, we introduce a ransomware detection mechanism, RWGuard, which is able to detect crypto-ransomware in real time on a user's machine by (1) deploying decoy techniques, (2) carefully monitoring both the running processes and the file system for malicious activities, and (3) preventing benign file changes from being flagged through the learning of users' encryption behavior. We evaluate our system against samples from the 14 most prevalent ransomware families to date. Our experiments show that RWGuard is effective in real-time detection of ransomware with a zero false negative rate and a negligible false positive rate (~0.1%) while incurring an overhead of only ~1.9%.
UR - http://www.scopus.com/inward/record.url?scp=85053892372&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85053892372&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-00470-5_6
DO - 10.1007/978-3-030-00470-5_6
M3 - Conference contribution
AN - SCOPUS:85053892372
SN - 9783030004699
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 114
EP - 136
BT - Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings
A2 - Bailey, Michael
A2 - Ioannidis, Sotiris
A2 - Stamatogiannakis, Manolis
A2 - Holz, Thorsten
PB - Springer Verlag
Y2 - 10 September 2018 through 12 September 2018
ER -